
Make GSS JAAS login optional #922

Merged
merged 3 commits into from Jan 4, 2018

@sigmaris
Contributor

sigmaris commented Aug 19, 2017

The scenario where this is useful: we have users who use the OS-native Kerberos support to obtain a Kerberos ticket-granting ticket when they start using their workstation. The Kerberos TGT is stored in the OS-native credential cache (e.g. an API: cache on Mac OS X, or a FILE: or KEYRING: cache on Linux). They later want to use a SQL client application (e.g. SQL Workbench/J) that uses this JDBC driver to talk to PostgreSQL, using GSS authentication with their existing Kerberos ticket.

Unfortunately there is no support in Oracle's Krb5LoginModule for reading Kerberos tickets out of API: or KEYRING: credential caches; it only supports file ccaches, so the usage of Krb5LoginModule to try and obtain Kerberos credentials throws an exception.

However, there is support in Oracle JDK 8 for using the native GSS-API implementation on Linux, Solaris and OS X by setting the system property “sun.security.jgss.native” to true. That allows JGSS to use existing tickets stored in native credential caches, so no JAAS login is required. If we skip trying to read the ticket using Krb5LoginModule, and rely on the native implementation, users can authenticate to PostgreSQL using their existing native ticket, without an extra prompt for a password.

The default for this new option is true, i.e. do attempt JAAS login (unless the Subject already has GSS credentials), which is the same as the current behaviour. The option must explicitly be set to false to disable JAAS login.
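As an added illustration (not code from this PR or from the pgjdbc project), the following shows how a client would combine the native JGSS provider with the new option so that an existing OS-cached TGT is used and no Krb5LoginModule login is attempted. It assumes the option is exposed as the `jaasLogin` connection property (the name pgjdbc documents; the PR text above does not state it), and the JDBC URL and user name are placeholders.

```java
// Added example: authenticate to PostgreSQL over GSSAPI with a TGT already
// held in the OS-native credential cache, skipping the JAAS login step.
// Assumptions: option name "jaasLogin" (pgjdbc's documented name, not stated
// in the PR text); URL and user below are placeholders.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public final class NativeGssConnect {

    // Connection properties for GSS auth that reuses the native ccache.
    static Properties nativeGssProperties(String principalUser) {
        Properties props = new Properties();
        props.setProperty("user", principalUser);   // must match the TGT's principal
        props.setProperty("gsslib", "gssapi");       // force GSSAPI; no password fallback
        props.setProperty("jaasLogin", "false");     // skip Krb5LoginModule (assumed name)
        return props;
    }

    public static void main(String[] args) throws SQLException {
        // Must be set before JGSS is first initialised, so set it before any
        // driver call. On Linux/Solaris/OS X this selects the OS GSS library,
        // which can read API:, FILE: and KEYRING: caches that Krb5LoginModule cannot.
        System.setProperty("sun.security.jgss.native", "true");

        String url = "jdbc:postgresql://db.example.internal:5432/appdb"; // placeholder
        try (Connection conn = DriverManager.getConnection(url, nativeGssProperties("alice"));
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT current_user")) {
            rs.next();
            System.out.println("authenticated as " + rs.getString(1));
        } catch (SQLException e) {
            // With jaasLogin=false there is no password prompt: if the native
            // cache holds no valid TGT the driver fails with a GSS error, which
            // is the expected (and auditable) failure mode of this configuration.
            System.err.println("GSS connection failed: " + e.getMessage());
            throw e;
        }
    }
}
```

For a packaged client such as SQL Workbench/J the system property is normally passed as `-Dsun.security.jgss.native=true` on the JVM command line instead of being set in code.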

@vlsi vlsi added the needs-review label Sep 25, 2017

@vlsi


Member

vlsi commented Sep 25, 2017

@sigmaris , do you think you could add AppVeyor configuration to test this PR?

@sigmaris


Contributor

sigmaris commented Sep 25, 2017

@vlsi, could you point me towards the existing AppVeyor configuration for this project? I'll try and add a test for this to it.

@davecramer


Member

davecramer commented Sep 25, 2017

I don't believe there is one.

@vlsi


Member

vlsi commented Dec 16, 2017

@vlsi


Member

vlsi commented Jan 4, 2018

Looks good to me.

@davecramer , what do you think?

@davecramer davecramer merged commit d7f0f27 into pgjdbc:master Jan 4, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@vlsi vlsi removed the needs-review label Jan 4, 2018

@vlsi vlsi added this to the 42.2.0 milestone Jan 4, 2018

rhavermans added a commit to bolcom/pgjdbc that referenced this pull request Jul 13, 2018

Make GSS JAAS login optional (pgjdbc#922)
* Add an option for disabling JAAS login

* Add documentation section for new option

* Improve docs wording
